Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Tim <tim-security () sentinelchicken org>
Date: Mon, 13 Mar 2006 18:02:21 -0500
> Although something else may have been intended by using the phrase "password-authenticated key agreement", let's not forget that's all PKI is - key agreement based on verifying a password. At the server end, the site admin's password is verified, e.g. for SSL servers. At the client, if you're lucky, the user chose a hard-to-crack password.
Hmm... Your terminology is sounding a bit off. Passwords are symmetric keys. PKI stands for Public Key Infrastructure. I think what you mean here is that the server's public key (contained in the certificate) is verified based on a provided signature/challenge generated by the server's private key, and by signatures of "trusted" certificate authorities, along with a whole host of other things. Sure, the site admins may protect their private key with a password, but even if they don't, it has nothing to do with the PKI. As for the client side, they usually use passwords, but they may also use client-side certificates in SSL with no password at all.
> That, and the access controls on each endpoint, are all that authenticates any PKI-based schema.
True, if you are worried about local attackers at the endpoint. These access controls are usually permissions in conjunction with a symmetric key (password).

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
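To make the distinction in this reply concrete, here is an added example (not code from the thread or from m0n0wall) using Go's standard library: a constructed toy PKI in which the client's trust decision rests only on the CA's signature over the server certificate and on the server signing a fresh challenge with its private key. The CA name and the hostname "firewall.example" are placeholders; no password appears anywhere in the check.

```go
package main
import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"
	"crypto/x509"; "crypto/x509/pkix"; "math/big"; "time"
)

// mkCert signs tmpl with signer's key (parent == tmpl gives a self-signed CA).
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildPKI constructs a toy PKI: a self-signed CA and a server certificate that
// the CA signed. Names are constructed placeholders; no password exists anywhere.
func BuildPKI() (ca, srv *x509.Certificate, srvKey *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = mkCert(caT, caT, &caKey.PublicKey, caKey)
	srvT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "firewall.example"},
		DNSNames: []string{"firewall.example"}, NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature}
	return ca, mkCert(srvT, ca, &srvKey.PublicKey, caKey), srvKey
}

// ServerResponds: the server proves possession of its private key by signing
// the client's fresh challenge (the "signature/challenge" step in the post).
func ServerResponds(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig
}

// ClientVerifies: the certificate must chain to a trusted CA signature, and the
// challenge signature must verify under the public key in that certificate.
func ClientVerifies(trusted, srv *x509.Certificate, challenge, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	if _, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: "firewall.example"}); err != nil {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(srv.PublicKey.(*ecdsa.PublicKey), h[:], sig)
}
```

A server that lacks the private key, a certificate from an untrusted CA, or a signature replayed over a different challenge all fail the same check, which is what the post means by authentication resting on keys rather than passwords.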